Children Book Image Generator

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WeryAI image-generation skill, but it needs review because it has under-disclosed setup, persistence, and data-upload behaviors.

Install only if you are comfortable with WeryAI receiving prompts and any reference images, and avoid enabling web search or webhook callbacks unless you understand where data will go. Prefer providing IMAGE_GEN_API_KEY through the runtime environment rather than persisting it to .env, review any first-time setup actions before allowing file writes or installs, and do not pass local reference-image paths unless you intend those files to be uploaded.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

Description-Behavior Mismatch (Medium, 96% confidence)

The setup flow expands a children's image-generation skill into environment inspection, dependency bootstrapping, and credential/configuration handling before the actual task. That broader authority increases attack surface and can cause the agent to perform local system changes unrelated to the user’s immediate illustration request.

Context-Inappropriate Capability (Medium, 97% confidence)

These instructions authorize the agent to install local dependencies on the user’s behalf, which is outside the narrow purpose of generating children’s book images. Allowing an agent to initiate package installation creates unnecessary execution risk, including supply-chain exposure and unexpected workstation changes.

Context-Inappropriate Capability (Medium, 98% confidence)

The file directs the agent to obtain, handle, and persist API credentials locally in project files or environment configuration. Secret collection and storage are sensitive operations that exceed the stated illustration-generation role and can lead to credential leakage, misuse, or long-lived secrets being written to insecure locations.

Context-Inappropriate Capability (Medium, 94% confidence)

The skill instructs the agent to create and modify workspace configuration files automatically, including writing default model settings without user involvement. Even if operationally convenient, this exceeds a simple content-generation role and normalizes silent file mutation in the user’s workspace.

Context-Inappropriate Capability (Medium, 95% confidence)

The skill exposes a `--use-web-search` capability even though its declared purpose is generating children's book illustrations. Enabling external web search expands data exfiltration and prompt-sourcing behavior beyond user expectations, and in an agent context it can cause the skill to fetch untrusted remote content unrelated to the requested image task.

Context-Inappropriate Capability (Medium, 95% confidence)

Arbitrary `webhook_url` support allows this image-generation skill to send task metadata and completion callbacks to attacker-controlled destinations. In an agent environment, that creates an unexpected outbound communication channel that can be abused for data exfiltration, SSRF-like interactions with internal services, or covert signaling outside the skill's stated purpose.

Description-Behavior Mismatch (Medium, 93% confidence)

The skill is described as a children's-book image generator, but the hardcoded workflows and role profiles expand it into unrelated domains like covers, rednote/social content, infographics, comics, and articles. This creates a scope mismatch that can cause the agent to perform tasks outside its declared safety and policy boundary, increasing the chance of misuse or inappropriate model selection in contexts the skill was not intended to handle.

Context-Inappropriate Capability (Medium, 90% confidence)

The recommendation engine explicitly supports article, infographic, and social-content tasks even though the skill metadata promises only kid-friendly children’s book illustration. That unjustified capability broadens operational scope and may bypass higher-level routing or review assumptions, enabling this skill to be invoked for content classes with different safety, copyright, or moderation requirements.

Description-Behavior Mismatch (Medium, 95% confidence)

The script goes beyond image generation by automatically running readiness checks and bootstrapping local dependencies, and it may modify the local project state when pending targets are found. In a skill meant for children's-book image generation, this broad local setup behavior is unnecessary and expands the attack surface, especially if invoked in an untrusted repository or with attacker-influenced bootstrap logic.

Context-Inappropriate Capability (Medium, 93% confidence)

The script writes an EXTEND.md configuration file under the target project and also incorporates environment and home-directory context into readiness behavior. For a children's-book image generation skill, inspecting broader local context and writing project configuration are not required for the core function, so this creates unnecessary capability to alter user workspaces and potentially expose sensitive environment-derived state to other components.

Context-Inappropriate Capability (Medium, 87% confidence)

The CLI exposes a `--use-web-search` option and propagates `use_web_search=true` to the third-party gateway, which expands the data-sharing surface beyond straightforward image generation. In a children's-book illustration skill, this capability is not necessary for the stated purpose and can cause user prompts or sensitive project context to be sent to additional external services without clear consent.

Context-Inappropriate Capability (Medium, 92% confidence)

The CLI accepts an arbitrary `--webhook-url` and forwards it to the external API, enabling result callbacks to any attacker-controlled endpoint. This can leak task metadata, generated asset URLs, and potentially user prompt-derived information to untrusted destinations outside the expected image-generation workflow.

Description-Behavior Mismatch (Medium, 91% confidence)

The setup script explicitly supports persisting IMAGE_GEN_API_KEY into a local .env file and advertises that behavior in help text. Storing secrets on disk is a sensitive capability that exceeds the narrow end-user function of generating children's book images, and it increases exposure if the project directory is shared, committed, or read by other tooling.

Context-Inappropriate Capability (High, 96% confidence)

The `--scope home` option allows writing IMAGE_GEN_API_KEY into a file under the user's home directory, broadening persistence beyond the project and affecting the user's wider environment. For a children's image generator, modifying home-scoped secret material is unnecessary and raises the blast radius if the skill or related tooling is abused.

Context-Inappropriate Capability (High, 95% confidence)

This wrapper accepts an arbitrary entry-script argument and executes it via `npx bun`, which creates a generic code-execution primitive rather than a narrowly scoped children’s-book image generator. In the context of an agent skill, that means a caller or upstream component could cause execution of unintended local scripts, expanding the skill’s authority well beyond image generation and enabling arbitrary command/script execution with the agent’s environment and inherited variables.

Vague Triggers (Medium, 87% confidence)

The trigger language around the 'first real generation attempt' and 'first trigger' is vague, which weakens invocation boundaries and can cause setup actions to run in situations the user did not clearly authorize. Ambiguous activation is risky when the subsequent behavior includes environment checks, secret handling, and file writes.

Missing User Warnings (Medium, 98% confidence)

The 'silent' readiness pass performs dependency checks and possible bootstrapping before upfront disclosure to the user. Silent preflight actions are dangerous because they conceal potentially user-impacting behavior and reduce meaningful consent over local system inspection and modification.

Missing User Warnings (Medium, 96% confidence)

The instructions push the agent to persist an API key locally in a .env file without an explicit warning about the privacy and security implications of local secret storage. This can leave credentials in project directories, backups, shell history, or version-control-adjacent locations where they may be exposed.

Missing User Warnings (Medium, 97% confidence)

The default-model initialization instructs silent registry use and immediate config file writes before user disclosure. Silent modification of workspace state undermines user control and makes it easier for a skill to normalize unauthorized file creation and persistent configuration drift.

Missing User Warnings (Medium, 93% confidence)

Local reference images are read from disk, base64-encoded, and sent to the remote WeryAI API. Without an explicit transmission warning or consent checkpoint at the call site, users and upstream agents may unintentionally upload sensitive local files, which is particularly risky in an agent setting where file paths may be supplied indirectly.

Missing User Warnings (Medium, 89% confidence)

At the call site, `useWebSearch` is passed through into the API request without an in-context warning, even though enabling it may send prompt content to external search infrastructure. Because prompts may contain unpublished story text, names, or private creative material, this creates a silent privacy and data-governance risk.

Credential Access (High, category: Privilege Escalation, 89% confidence)

Content:
-h, --help            Show help

What this does:
  1) Optionally writes IMAGE_GEN_API_KEY into the local skill .env
  2) Runs doctor (read-only)
  3) Ensures a MODELS.json exists (writes the bundled starter if missing)
  4) Initializes EXTEND.md with Nano Banana 2 if no default model exists yet

Finding: .env

Credential Access (High, category: Privilege Escalation, 94% confidence)

Content:
if (isDirectRun) {
  try {
    const args = parseArgs(process.argv.slice(2));
    const apiKeyInput = resolveProvidedApiKey({ apiKey: args.apiKey, persistApiKey: args.persistApiKey, env: process.env });
    const apiKey = writeApiKeyConfig({
      project: args.project,
      homeDir: process.env.HOME ?? null,

Finding: .env

VirusTotal

VirusTotal engine telemetry currently flags this artifact as malicious.